By Ian Sherr

It used to be an easy call for the IT department when an employee’s BlackBerry was lost or stolen: If it contained sensitive information, technology teams at many companies had no qualms about remotely wiping all of the data on the device.

Today, however, there has been a flood of personal computing devices into the workplace, in the form of smartphones and tablet computers. Companies have begun installing their email, calendars and apps on devices that often already contain an employee’s family photos, music and emails.

This vast co-mingling of personal and company data has raised questions as to where responsibility for the security of the devices ultimately lies. And it puts the IT department in a new and ticklish situation, should a data breach be feared, because now a remote wipe of the device can delete an employee’s personal data as well.

The remote wipe is only one of the challenges raised by the recent and rapid merging of personal and work devices. There are security concerns as well. For example, any app downloaded to a smartphone or tablet might contain a virus or malware designed to steal company data on the device. The cameras and Bluetooth wireless transmitters found on most devices could make leaks more likely, too—inadvertent and intentional.

This vast co-mingling of personal and company data has raised questions as to where responsibility for the security of the devices ultimately lies. And it puts the IT department in a new and ticklish situation, should a data breach be feared, because now a remote wipe of the device can delete an employee’s personal data as well.

The remote wipe is only one of the challenges raised by the recent and rapid merging of personal and work devices. There are security concerns as well. For example, any app downloaded to a smartphone or tablet might contain a virus or malware designed to steal company data on the device. The cameras and Bluetooth wireless transmitters found on most devices could make leaks more likely, too—inadvertent and intentional.

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published April 2, 2012, in the Wall Street Journal.)

By Ian Sherr

Sony Corp. is preparing to release its first major game for the PlayStation Network online gaming service since hackers broke in and stole account information from millions of users earlier this year.

The game’s release marks a milestone for the Japanese electronics giant in its ongoing recovery from the hacking attacks that occurred in mid-April, which compromised the personal information of roughly 77 million accounts in the system.

Sony voluntarily shut down its network for roughly a month, slowly bringing back different levels of functionality over time. The company said 94% of preoutage activity returned immediately, and that it hit 100% over the summer. The company says it has also added 3 million accounts since the outage.

This holiday season, led by Sony’s “Uncharted 3: Drake’s Deception,” will be the next test of the system. The game will be released on Nov. 1, and will join this year’s slate of high-profile games that rely heavily on network components, including Activision Blizzard Inc.’s “Call of Duty: Modern Warfare 3″ game and Electronic Arts Inc.’s “Battlefield 3.”

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published Oct. 27, 2011 in the Wall Street Journal.)

By Ian Sherr

One day five months ago, Karim Hijazi saw an unusual sight while reading his work email. A message that had been marked as “read” was suddenly marked “unread.”

What the founder of Unveillance, a computer-network security firm, soon learned was that hackers had broken into his account.

The hackers gained access to his email by stealing log-in information from an insecure website, which they then matched up with a password they found on the Internet. After downloading all of his emails, the hackers sent Mr. Hijazi a message demanding he share sensitive security information with them. When he refused, the hackers released his emails on the Web.

“It was like a baby with a gun,” he says.

Mr. Hijazi is one of the latest victims of computer hackers focused on getting into websites, corporate networks and email accounts by using legitimate passwords. Many break into poorly secured websites, steal databases filled with personal information and then comb through that data for log-in information for companies, government agencies and banks.

The growing frequency of these attacks has pushed companies to seek other forms of data protection than simple passwords.

Demand for additional barriers and detection programs is already large. Sales of these types of products topped $900 million world-wide last year, according to International Data Corp., and the Framingham, Mass.-based research firm expects the market to double by 2015.

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published Sept. 26, 2011 in the Wall Street Journal.)

By Ian Sherr and Nick Wingfield

On a Tuesday afternoon last month, engineers working for Sony Corp. were baffled when several servers running the company’s PlayStation Network suddenly turned themselves off and then back on.

At the time, the unexpected rebooting seemed like an odd malfunction. The next day, however, the engineers found the first evidence that an intruder had penetrated Sony’s systems, prompting the Japanese company to take what it calls “the almost unprecedented step” of shutting down the popular online gaming network.

Sony Chief Executive Howard Stringer issued a public apology this week for what the company later disclosed was a data breach that compromised more than 100 million user accounts on three public networks, and a delay in informing users of the theft. Sony says the loss included users’ names, birthdates and passwords. It also hasn’t ruled out the loss of credit card numbers associated with the Sony PlayStation network.

Some analysts believe the incident, which has drawn the attention of authorities around the world, will cost the company more than $1 billion for measures that include new security and a $1 million insurance policy for any victims of identity theft. The company hasn’t provided its own estimate of the cost. It also hasn’t resumed operating the network, but has said it is in final testing and is expected to do so within days.

“Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries,” this ranks “at the top” of data breaches to date, said Cynthia Larose, an attorney specializing in privacy matters with Mintz Levin in Boston.

PlayStation Network, which is accessed by owners of Sony game consoles, uses 130 server systems, 50 software programs and has 77 million user accounts, according to a letter that Kazuo Hirai, president and group chief executive of Sony Computer Entertainment Inc., sent Wednesday to a U.S. congressional committee. That letter, and a similar account included in a letter Friday to Sen. Richard Blumenthal (D., Conn.) provide the most detailed accounts of the incident.

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published May 7, 2011, in the Wall Street Journal.)

By Ian Sherr

New details emerged about Sony Corp.’s investigation into one of the biggest data breaches in history, as the company attempts to piece together who stole personal information from more than 100 million accounts on its online game networks.

At least some of the attacks came from a Malaysia-based server, a person familiar with the matter said, though it wasn’t clear if any of the hacking was actually done from there, or whether only the server there was used.

On Tuesday, a U.S. spokesman for Sony confirmed some of the companies helping to investigate the breach and secure its network against further intrusions. The security firms named are Protiviti Inc., Guidance Software Inc. and Data Forté Corp., which specialize variously in forensic computer investigations and security consulting.

The company has also retained the services of the law firm Baker & McKenzie in connection with the matter. Representatives of the law firm and two of the security firms didn’t respond to requests for comment. Guidance Software declined to comment.

Political pressure on Sony for a more complete accounting of its handling of the data breach has been increasing. Sen. Richard Blumenthal (D., Conn.) on Tuesday sent a letter to Sony executives saying he is “deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches or to provide adequate protections for users whose personal and financial information may have been compromised.”

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published May 4, 2011, in the Wall Street Journal.)

By Ian Sherr

Plaintiffs lawyers are targeting Sony Corp. with class-action suits after a breach of the company’s online-game network compromised the personal information of millions of users.

In one lawsuit, filed in the U.S. District Court’s Northern District of California, videogame player Kristopher Johns said Sony’s security was negligently poor and the company failed to encrypt personal information.

The lawsuit, which was filed Wednesday against Sony’s U.S. entertainment unit and seeks class-action status, also alleges Sony failed to notify customers of the breach in a timely manner.

“This has caused, and continues to cause, millions of consumers fear, apprehension, and damage,” the filing said.

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published April 29, 2011, on the Wall Street Journal website.)

By Nick Wingfield, Ian Sherr and Ben Worthen

A hacker stole the names, birth dates and possibly credit-card numbers for 77 million people who play online videogames through Sony Corp.’s PlayStation console, in what could rank among the biggest data breaches in history.

Sony, whose gaming network has been offline for six days, disclosed Tuesday that an “illegal and unauthorized intrusion” between April 17 and April 19 resulted in the loss of a significant amount of personal information that could be used in identity theft.

The PlayStation Network is used by owners of the company’s game machine to play against one another, chat online and watch movies streamed over the Internet. Sony warned users the intruders may have accessed billing addresses, purchase histories and account information for their children.

Fueled by fast Internet connections, online-gaming services have become global social hubs for tens of millions of people who spend hours competing and cooperating on fantasy quests, combat missions and other activities. People across the globe pay monthly fees to play online-computer games like “World of Warcraft.” Most titles for the PlayStation 3 and Microsoft Corp. Xbox 360 have online components.

Sony warned members of its PlayStation Network and a related entertainment service called Qriocity to closely watch their credit card statements for unauthorized charges. It also told members to be on guard against email, telephone and postal scams aided by the lost personal information.

“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” Sony said in a blog post.

The PlayStation Network, meanwhile, remains out of commission, sowing frustration among gamers. In the blog post, Sony spokesman Patrick Seybold said the company has a “clear path” to restore “some services within a week.”

The incident is a major black eye for the Japanese electronics giant, locked in an increasingly heated battle with Microsoft, Nintendo Co. and other companies in the gaming market. The breach also highlights the trove of personal information stored in online-gaming services.

E.J. Hilbert, a former agent with the Federal Bureau of Investigation who is now a senior vice president at security consulting firm Arixmar, called the compromise of as many as 77 million users accounts “huge.”

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

(Originally published April 27, 2011 on the front page of the Wall Street Journal.)